10/16/2018

New Email Attack Shows How Hackers Can Hijack a Legitimate Email Thread

by Guest Blogger David Bisson

Most of us know the tell-tale signs of an ordinary phishing email. You open your inbox to discover an unsolicited email from someone you don’t know. The email contains lots of spelling errors and directs the recipient to click on a suspicious attachment or embedded link. Using those tactics, fraudsters infect the recipient’s computer with malware or steal their account credentials.

Unfortunately, not all phishing campaigns are that easy to spot. Many ordinary users now know to watch for the attack indicators described above. To counter this upswing in awareness, digital attackers are turning to more sophisticated techniques to prey upon users.

Hijacking Ongoing Conversations to Deliver Ursnif

One such campaign, which is ongoing, came in the form of a malware-laden phishing email delivered to a user’s inbox. What made this attack email stand out was the fact that the fraudsters sent it as a response to an ongoing email conversation, thereby increasing the likelihood that the recipient would believe the message to be legitimate. The email also contained no grammatical or spelling mistakes and used a signature.

If the recipient double-clicked the attached document, the document executed a PowerShell script that downloaded the latest version of the Ursnif malware from the Ursnif’s command-and-control (C&C) server. Once downloaded, another PowerShell script then searched for “Client32/Client64” in the registry key. This DLL file is the final payload used by Ursnif to steal victim’s information including their email credentials, cookies, certificates and financial login details via webinjects.

Detecting Sophisticated Phishing Campaigns

Clearly, the campaign described above surpasses standard phishing attacks in its sophistication. But it’s not perfect in its design. On the contrary, several factors gave away the attack email as a fake email reply. These indicators included the following:

Attackers wrote their email in English even though previous exchanges in the conversation were sometimes written in other languages.

The signature at the bottom of the attack email was different than those included in earlier responses.

The actual body of the attack email, which reads “Good morning. Please see attached, let me know if you have questions,” is out of context with the rest of the conversation.

Then again, the attack email doesn’t spoof the sender. All replies to the attack email would be sent back to the compromised email account, often still under the control of the attacker. This means that whoever sent out the attack email did so by first obtaining authenticated access to the sender’s email account, likely from a previous phishing attack, and then abusing that access to send out the email.

Phishing campaigns that consist of multiple stages warrant a multi-layered email defense strategy. This approach should be capable of analyzing email messages at multiple layers starting with IP addresses and URLs. From there, it should dig down into each message for targeted phrases and campaign patterns. Finally, the approach should search each malicious email for indicators of known malware strains as well as zero-day attacks. Enhancing this protection further should be machine-learning, traffic analysis and real-time threat analysts.

ZixProtect conducts these different levels of analysis with enhanced protection all from within one solution. Learn how to keep your email, employees, and business safe from the latest email threats.